JBoss ships with a default web page that lists the modules installed on the host. With that information an attacker can work out which weaknesses or vulnerabilities the host can be attacked through, so in a production environment these services should be turned off.
How to disable status page for jboss (http://:8080/status)
Due to a possible information disclosure issue, remove access to the JBoss status page by following these steps for your version of the application server.
Step 1: Go to the JBoss deploy folder (ex: cd /usr/local/jboss/server/default/deploy)
Step 2: Run the find command below to locate the ROOT.war directory:
# find . -iname ROOT.war
Step 3: Based on the output, switch to the ROOT.war directory.
Step 4: Go to the WEB-INF directory under ROOT.war (ex: .../deploy/jboss-web.deployer/ROOT.war/WEB-INF/)
Step 5: Find the web.xml file and open it in the vim editor.
Step 6: Comment out the servlet and servlet-mapping tags as follows:
<!-- <servlet>
<servlet-name>Status Servlet</servlet-name>
<servlet-class>org.jboss.web.tomcat.service.StatusServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Status Servlet</servlet-name>
<url-pattern>/status</url-pattern>
</servlet-mapping> -->
Save and close the file.
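To confirm that the edit in Step 6 actually took effect, here is an added Python check (not part of the original post) that parses a web.xml the same way the container does, ignoring XML comments, and reports any servlet-mapping that is still live for the Status Servlet or the /status path. The BEFORE and AFTER descriptors are constructed samples; the check also flags a /status mapping that points at a differently named servlet.

```python
import xml.etree.ElementTree as ET

# Class the page tells you to comment out of ROOT.war/WEB-INF/web.xml.
STATUS_CLASS = "org.jboss.web.tomcat.service.StatusServlet"


def _local(tag):
    """Strip a namespace such as {http://java.sun.com/xml/ns/j2ee} from a tag."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, local_name):
    """Text of the first child whose namespace-free tag equals local_name."""
    for child in elem:
        if _local(child.tag) == local_name:
            return (child.text or "").strip()
    return None


def active_status_mappings(web_xml_text):
    """Return [(servlet-name, url-pattern)] for every live status mapping.
    ElementTree drops XML comments, as the container does, so a commented-out block is not reported."""
    root = ET.fromstring(web_xml_text)
    servlets = [e for e in root.iter() if _local(e.tag) == "servlet"]
    classes = {_text(s, "servlet-name"): _text(s, "servlet-class") for s in servlets}
    findings = []
    for m in (e for e in root.iter() if _local(e.tag) == "servlet-mapping"):
        name, pattern = _text(m, "servlet-name"), _text(m, "url-pattern")
        if classes.get(name) == STATUS_CLASS or pattern == "/status":
            findings.append((name, pattern))
    return findings


# Constructed sample descriptor: the state before the fix (mapping is live).
BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>Status Servlet</servlet-name>
    <servlet-class>org.jboss.web.tomcat.service.StatusServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Status Servlet</servlet-name>
    <url-pattern>/status</url-pattern>
  </servlet-mapping>
</web-app>"""

# The same descriptor after Step 6: both elements wrapped in one XML comment.
AFTER = (BEFORE.replace("<servlet>", "<!-- <servlet>")
               .replace("</servlet-mapping>", "</servlet-mapping> -->"))

if __name__ == "__main__":
    print("before:", active_status_mappings(BEFORE))  # [('Status Servlet', '/status')]
    print("after: ", active_status_mappings(AFTER))   # []
```

Point the function at the real descriptor with `active_status_mappings(open(path).read())`; an empty list means the page is no longer mapped.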
The following text is excerpted from http://superuser.com/questions/501417/resolving-httpadaptor-jmxinvokerservlet-is-accessible-to-unauthenticated-remote
The http-invoker.sar Service
The http-invoker.sar found in the deploy directory is a service that provides RMI/HTTP access for EJBs and the JNDI Naming service. This includes a servlet that processes posts of marshaled org.jboss.invocation.Invocation objects that represent invocations that should be dispatched onto the MBeanServer. This effectively allows access to MBeans that support the detached invoker operation via HTTP because someone could figure out how to format an appropriate HTTP post. To secure this access point, you would need to secure the JMXInvokerServlet servlet found in the http-invoker.sar/invoker.war/WEB-INF/web.xml descriptor. A secure mapping is defined for the /restricted/JMXInvokerServlet path by default; to use it, you would simply have to remove the other paths and configure the http-invoker security domain setup in the http-invoker.sar/invoker.war/WEB-INF/jboss-web.xml descriptor.